Has anyone seen SELinux log to /var/log/messages but *not* to /var/log/audit/audit.log? I have a situation that is being denied by SELinux and logging avc denials to /var/log/messages, however I can't determine a way to fix it because I get nothing for this denial logged to /var/log/audit/audit.log. This prevents me from generating a policy using audit2allow or sealert.
Situation: I have a RHEL 7-based server which is running bind-chroot and I'd like for rsyslog to collect and send the named.log and query.log to our centralized rsyslog server. With SELinux in enforcing mode, rsyslog cannot read the named logs.
Do I need to write my own custom SELinux policy?
Thanks,
Matthew Wilkinson
On Mon, Sep 18, 2017 at 6:55 PM, Wilkinson, Matthew <MatthewWilkinson@alliantenergy.com> wrote:
Hi Matthew,
I am afraid a new policy would not help you. Is auditd running and writing other events (like intentionally triggered ones) to the audit.log?
Subsequent question: what do the AVCs look like? Creating a policy module might not be the best solution to your problem.
On 09/20/2017 08:09 AM, Zdenek Pytela wrote:
Good question, is auditd running and writing other events? Also, it will be very helpful if you attach your AVC. There can be a situation when auditd is not running yet during boot, so AVCs are logged to the journal/syslog.
Please attach AVC and we can move forward.
Lukas.
--
Zdenek Pytela, Technical support engineer and team lead
Customer Engagement and Experience, Red Hat Czech
E-mail: zpytela@redhat.com, IRC: zpytela
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Sure thing, here is the AVC in the /var/log/messages file. I don't see this in /var/log/audit/audit.log but I see other logs in there.
Sep 20 09:03:14 redacted kernel: type=1400 audit(1505916193.999:16716): avc: denied { read } for pid=33245 comm="in:imfile" name="named.log" dev="dm-9" ino=143 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=file
Strangely, auditd doesn't seem to be running and systemctl can't interact with it, possibly because of a dependency:
Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only. See system logs and 'systemctl status auditd.service' for details.
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2017-09-13 14:06:04 CDT; 6 days ago
     Docs: man:auditd(8)
           https://people.redhat.com/sgrubb/audit/
  Process: 911 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 910 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 910 (code=exited, status=6)
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
--Matthew Wilkinson
-----Original Message-----
From: Lukas Vrabec [mailto:lvrabec@redhat.com]
Sent: Wednesday, September 20, 2017 01:55
To: selinux@lists.fedoraproject.org
Subject: Re: Unable to use audit2allow on avc denials
--
Lukas Vrabec
Software Engineer, Security Technologies, Red Hat, Inc.
Interesting, I discovered auditd dead on a RHEL7 server a few days ago; no logs as to why it stopped.
"/sbin/service auditd restart" will kick it back online, FYI.
Mark Salowitz, CTR
CTS II PaaS Engineer
USCG Operations Systems Center
I actually saw a message in the systemctl status that it could not read /var/log/audit, which is a separate mount. I removed the audit package, unmounted /var/log/audit, ran rm -rf /var/log/audit, then reinstalled and remounted, and I can start the service just fine now.
Weird.
I will try my rsyslog setup again and see if I can get some answers to the SELinux question now.
--Matthew Wilkinson
OK, I am getting the "SELinux is preventing" messages in /var/log/messages now. It does recommend that I install this local policy:
module my-inimfile 1.0;

require {
	type named_cache_t;
	type syslogd_t;
	class file read;
}

#============= syslogd_t ==============
allow syslogd_t named_cache_t:file read;
And another that does:
allow syslogd_t named_cache_t:file { getattr open read };
But I think it's working now. Should I report this as a bug? It seems like there should most definitely be a Boolean to allow rsyslog to read files outside of its domain.
Thanks,
--Matthew Wilkinson
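An added example, not code from the thread, showing what audit2allow does with syslog-format AVC lines like the one Matthew posted: it parses the denials out of /var/log/messages (where they land while auditd is down), merges the permissions per source/target/class, and renders the type-enforcement module in the layout sealert suggested. The sample lines are constructed; the second denial is assumed, to show the merge that yields the { getattr open read } rule.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages content. The first AVC line mirrors
# the denial quoted in the thread; the second is an assumed follow-on denial
# (getattr/open on the same file) added to show permission merging; the third
# is an ordinary syslog line that must be ignored.
SAMPLE_MESSAGES = """\
Sep 20 09:03:14 redacted kernel: type=1400 audit(1505916193.999:16716): avc: denied { read } for pid=33245 comm="in:imfile" name="named.log" dev="dm-9" ino=143 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=file
Sep 20 09:03:14 redacted kernel: type=1400 audit(1505916193.999:16717): avc: denied { getattr open } for pid=33245 comm="in:imfile" name="named.log" dev="dm-9" ino=143 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=file
Sep 20 09:03:15 redacted rsyslogd: imfile: file '/var/named/data/named.log' opened
"""

# Matches the kernel AVC record whether it arrived via auditd or the syslog path.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type component of a context user:role:type[:range]."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    return parts[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # ordinary syslog line, or an AVC that was granted
        yield (
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        )


def collect_rules(text):
    """Merge permissions per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc_denials(text):
        merged[(src, tgt, cls)] |= perms
    return {key: frozenset(perms) for key, perms in merged.items()}


def perm_set(perms):
    """One permission is written bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module_name, version="1.0"):
    """Render a .te module in the layout the thread's sealert output shows."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls] |= perms
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {perm_set(classes[c])};" for c in sorted(classes)]
    lines.append("}")
    for src in sorted({s for s, _, _ in rules}):
        lines += ["", f"#============= {src} =============="]
        for (s, tgt, cls), perms in sorted(rules.items()):
            if s == src:
                lines.append(f"allow {s} {tgt}:{cls} {perm_set(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_te(collect_rules(SAMPLE_MESSAGES), "my-inimfile"), end="")
```

Before loading such a module, check `getsebool -a` for an existing boolean and `ls -Z` on the files for a mislabel, since a custom allow rule widens syslogd_t permanently and is the last resort the replies above hint at.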
Why is named.log in the /var/cache directory? Should it not be in /var/log?
This might explain why you are getting the SELinux warning.
No, named.log and query.log are in the default locations in /var/named/data; it was just that rsyslogd couldn't read files in the data dir because of the context differences.
--Matthew Wilkinson
-----Original Message-----
From: Simon Sekidde [mailto:ssekidde@redhat.com]
Sent: Wednesday, September 20, 2017 16:00
To: Wilkinson, Matthew
Cc: Lukas Vrabec; selinux@lists.fedoraproject.org; Zdenek Pytela
Subject: Re: Unable to use audit2allow on avc denials
--
Simon Sekidde
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
Hmmm... I haven't seen this mentioned... but could some of these problems be a symptom of problematic SELinux file labeling?
Perhaps running 'fixfiles onboot' then a reboot could correct this type of problem.
Michael D. Parker
General Atomics – ElectroMagnetics Systems Division (EMS)
Michael.d.parker@ga.com
<<<<< NOTE: Remember to include my middle initial >>>>>
************************************************************************ CONFIDENTIALITY NOTICE: This communication is intended to be confidential to the person(s) to whom it is addressed. If you are not the intended recipient or the agent of the intended recipient or if you are unable to deliver this communication to the intended recipient, you must not read, use or disseminate this information. If you have received this communication in error,please advise the sender immediately by telephone and delete this messageand any attachments without retaining a copy. *************************************************************************
-----Original Message----- From: Wilkinson, Matthew [mailto:MatthewWilkinson@alliantenergy.com] Sent: Wednesday, September 20, 2017 2:09 PM To: Simon Sekidde ssekidde@redhat.com Cc: Zdenek Pytela zpytela@redhat.com; selinux@lists.fedoraproject.org Subject: -EXT-RE: Unable to use audit2allow on avc denials
No, named.log and query.log are in the default locations in /var/named/data it was just that rsyslogd couldn't read files in the data dir because of the context differences.
--Matthew Wilkinson
-----Original Message----- From: Simon Sekidde [mailto:ssekidde@redhat.com] Sent: Wednesday, September 20, 2017 16:00 To: Wilkinson, Matthew Cc: Lukas Vrabec; selinux@lists.fedoraproject.org; Zdenek Pytela Subject: Re: Unable to use audit2allow on avc denials
----- Original Message -----
From: "Matthew Wilkinson" MatthewWilkinson@alliantenergy.com
To: "Lukas Vrabec" lvrabec@redhat.com, selinux@lists.fedoraproject.org, "Zdenek Pytela" zpytela@redhat.com
Sent: Wednesday, September 20, 2017 7:06:16 AM
Subject: RE: Unable to use audit2allow on avc denials
Sure thing, here is the AVC in the /var/log/messages file. I don't see this in /var/log/audit/audit.log but I see other logs in there.
Sep 20 09:03:14 redacted kernel: type=1400 audit(1505916193.999:16716): avc: denied { read } for pid=33245 comm="in:imfile" name="named.log" dev="dm-9" ino=143 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=file
Why is named.log in the /var/cache directory? Should it not be in /var/log?
This might explain why you are getting the SELinux warning.
Strangely, auditd doesn't seem to be running, and systemctl can't interact with it. Possibly because of a dependency:
Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only. See system logs and 'systemctl status auditd.service' for details.
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2017-09-13 14:06:04 CDT; 6 days ago
     Docs: man:auditd(8)
           https://people.redhat.com/sgrubb/audit/
  Process: 911 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 910 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 910 (code=exited, status=6)
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
--Matthew Wilkinson
-----Original Message-----
From: Lukas Vrabec [mailto:lvrabec@redhat.com]
Sent: Wednesday, September 20, 2017 01:55
To: selinux@lists.fedoraproject.org
Subject: Re: Unable to use audit2allow on avc denials
On 09/20/2017 08:09 AM, Zdenek Pytela wrote:
On Mon, Sep 18, 2017 at 6:55 PM, Wilkinson, Matthew <MatthewWilkinson@alliantenergy.com mailto:MatthewWilkinson@alliantenergy.com> wrote:
Has anyone seen SELinux log to /var/log/messages but *not* to /var/log/audit/audit.log? I have a situation that is being denied by SELinux and logging avc denials to /var/log/messages, however I can't determine a way to fix it because I get nothing for this denial logged to /var/log/audit/audit.log. This prevents me from generating a policy using audit2allow or sealert.
Situation: I have a RHEL 7-based server which is running bind-chroot and I'd like for rsyslog to collect and send the named.log and query.log to our centralized rsyslog server. With SELinux in enforcing mode, rsyslog cannot read the named logs.
Do I need to write my own custom SELinux policy?
Hi Matthew,
I am afraid a new policy would not help you. Is auditd running and writing other events (like intentionally triggered ones) to the audit.log?
Good question: is auditd running and writing other events? Also, it would be very helpful if you attached your AVC. There can be a situation where auditd is not yet running during boot, so AVCs are logged to the journal/syslog instead.
Please attach AVC and we can move forward.
Lukas.
A subsequent question: what do the AVCs look like? Creating a policy module might not be the best solution to your problem.
--
Zdenek Pytela, Technical support engineer and team lead Customer Engagement and Experience, Red Hat Czech E-mail: zpytela@redhat.com mailto:zpytela@redhat.com, IRC: zpytela
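The AVC that Matthew posted and the failed auditd unit above, worked through as an added example (this is not code from the thread, from Red Hat, or from the selinux-policy project): the shell functions below parse the syslog-format AVC record into the allow rule that audit2allow would emit from it, which is what you want to see before deciding whether an allow rule is the right fix at all, and diagnose_on_host() collects the host-side checks for the "AVCs only in /var/log/messages" symptom. The sample line is the one from the thread; the path /var/named/data/named.log, the root privileges, and the named_log_t type queried with sesearch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): turn a syslog-format AVC into the
# allow rule audit2allow would derive, and list the checks that explain why
# the record never reached audit.log. Only the parsing functions run offline;
# diagnose_on_host() assumes a RHEL 7 host with policycoreutils-python,
# setools-console and audit installed, run as root.

# The AVC line from the thread, copied verbatim as sample input.
SAMPLE_AVC='Sep 20 09:03:14 redacted kernel: type=1400 audit(1505916193.999:16716): avc: denied { read } for pid=33245 comm="in:imfile" name="named.log" dev="dm-9" ino=143 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=file'

# avc_field LINE KEY: value of KEY=... with any surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission list between "denied {" and "}".
avc_perms() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' |
        sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te_rule LINE: the TE rule audit2allow would print for this denial.
# Spelling it out shows the scope of a blanket allow: here it would let the
# syslog daemon read every named_cache_t file, not just the two logs.
avc_to_te_rule() {
    perms=$(avc_perms "$1")
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# Host-side checks; needs root and the real logs, so not run by the test.
diagnose_on_host() {
    # 1. Is there an audit daemon for the kernel to deliver records to?
    #    Without one the kernel falls back to printk, so AVCs show up only in
    #    dmesg/journal/syslog, which is exactly the symptom in the thread.
    systemctl is-active auditd
    auditctl -s | grep '^pid'        # "pid 0": no daemon registered

    # 2. audit2allow -a reads /var/log/messages as well as audit.log, so a
    #    dead auditd does not stop you from inspecting the denial.
    audit2allow -a -w                # -w: explain each denial
    grep 'avc:.*denied' /var/log/messages | audit2allow   # explicit input

    # 3. Check labels before writing policy: is the file labelled the way
    #    the policy expects, and may syslogd_t already read named's log type?
    ls -Z /var/named/data/
    matchpathcon /var/named/data/named.log
    sesearch -A -s syslogd_t -t named_log_t -c file -p read
}

# Stand-alone demonstration.
avc_to_te_rule "$SAMPLE_AVC"
```

Run as-is it prints `allow syslogd_t named_cache_t:file { read };`, the rule a module generated from this denial would contain. That rule, rather than the denial text, is what to weigh against relabelling the log files or moving them somewhere rsyslog's domain is already permitted to read; the sesearch query in step 3 tells you whether the latter is an option on your policy version before you touch anything.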
I wasn't aware that rsyslogd ever READ log files. Why would it?
Bill
On 9/20/2017 5:09 PM, Wilkinson, Matthew wrote:
No, named.log and query.log are in the default locations in /var/named/data; it was just that rsyslogd couldn't read files in the data dir because of the context differences.
--Matthew Wilkinson